diff --git a/user/pages/01.basics/02.requirements/docs.md b/user/pages/01.basics/02.requirements/docs.md index 9c5433859..8370a09b7 100644 --- a/user/pages/01.basics/02.requirements/docs.md +++ b/user/pages/01.basics/02.requirements/docs.md 
@@ -18,8 +18,9 @@ taxonomy: #### Supported Platforms * Officially supported linux distributions, SUSE Linux, Ubuntu, CentOS/Red Hat (Including all RHEL version e.g. 6/7/8), Debian, Rancher OS, CoreOS, AWS 'Bottlerocket'(see Note below) and Photon. +* AMD64 and Arm architectures * CoreOS is supported (November 2023) for CVE scanning through RHEL mapping table provided by RedHat. Once an official feed is published by RedHat for CoreOS it will be supported. -* Officially supported Kubernetes and Docker compliant container management systems. The following platforms are tested with every release of NeuVector: Kubernetes 1.19+, SUSE Rancher (RKE, RKE2, K3s etc), RedHat OpenShift 4.6+ (3.x to 4.12 supported prior to NeuVector 5.2.x), Google GKE, Amazon EKS, Microsoft Azure AKS, IBM IKS, native docker, docker swarm. The following Kubernetes and docker compliant platforms are supported and have been verified to work with NeuVector: VMware Photon and Tanzu, SUSE CaaS, Oracle OKE, Mirantis Kubernetes Engine, Nutanix Kubernetes Engine, docker UCP/DataCenter, docker Cloud. +* Officially supported Kubernetes and Docker compliant container management systems. The following platforms are tested with every release of NeuVector: Kubernetes 1.19-1.29, SUSE Rancher (RKE, RKE2, K3s etc), RedHat OpenShift 4.6+,4.13+ (3.x to 4.12 supported prior to NeuVector 5.2.x), Google GKE, Amazon EKS, Microsoft Azure AKS, IBM IKS, native docker, docker swarm. The following Kubernetes and docker compliant platforms are supported and have been verified to work with NeuVector: VMware Photon and Tanzu, SUSE CaaS, Oracle OKE, Mirantis Kubernetes Engine, Nutanix Kubernetes Engine, docker UCP/DataCenter, docker Cloud. * Docker run-time version: 1.9.0 and up; Docker API version: 1.21, CE and EE. * Containerd and CRI-O run-times (requires changes to volume paths in sample yamls). See changes required for Containerd in the Kubernetes deployment section and CRI-O in the OpenShift deployment section. 
* NeuVector is compatible with most commercially supported CNI's. Officially tested and supported are openshift ovs (subnet/multitenant), calico, flannel, cilium, antrea and public clouds (gke, aks, iks, eks). @@ -33,7 +34,6 @@ AWS Bottlerocket Note: Must change path of the containerd socket specific to Bot * AWS ECS is no longer supported. (NOTE: No functionality has been actively removed for operating NeuVector on ECS deployments. However, testing on ECS is no longer being perfromed by SUSE. While protecting ECS worlloads with Neuvector likely will operate as expected, issues will not be investigated.) * Docker on Mac * Docker on Windows -* ARM architectire is not currently supported, but being worked on for future releases. * Rkt (container linux) from CoreOS * AppArmor on K3S / SLES environments. Certain configurations may conflict with NeuVector and cause scanner errors; AppArmor should be disabled when deploying NeuVector. * IPv6 is not supported diff --git a/user/pages/02.deploying/02.kubernetes/docs.md b/user/pages/02.deploying/02.kubernetes/docs.md index a477d70fa..72b0e1600 100644 --- a/user/pages/02.deploying/02.kubernetes/docs.md +++ b/user/pages/02.deploying/02.kubernetes/docs.md @@ -257,20 +257,10 @@ Then create the appropriate service(s): kubectl create -f nv_master_worker.yaml -
  • Create the primary NeuVector services and pods using the preset version commands or modify the sample yamls below. The preset versions invoke a LoadBalancer for the NeuVector Console. If using the sample yaml files below replace the image names and <version> tags for the manager, controller and enforcer image references in the yaml file. Also make any other modifications required for your deployment environment (such as LoadBalancer/NodePort/Ingress for manager access etc). -For general containerd runtime (non Rancher/K3s) +
  • Create the primary NeuVector services and pods using the preset version commands or modify the sample yaml below. The preset version invoke a LoadBalancer for the NeuVector Console. If using the sample yaml file below replace the image names and <version> tags for the manager, controller and enforcer image references in the yaml file. Also make any other modifications required for your deployment environment (such as LoadBalancer/NodePort/Ingress for manager access etc).
    -kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.2.0/neuvector-containerd-k8s.yaml
    -For 5.2.0 with Rancher on K3s containerd run-time: -
    -kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.2.0/neuvector-rancher-containerd-k3s.yaml
    -For 5.2.0 with docker run-time: -
    -kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.2.0/neuvector-docker-k8s.yaml
    -For 5.2.0 with AWS Bottlerocket run-time: -
    -kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.2.0/neuvector-aws-bottlerocket-k8s.yaml
    -Or, if modifying any of the above yaml or samples from below: +kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/neuvector-k8s.yaml +Or, if modifying the above yaml:
     kubectl create -f neuvector.yaml
    diff --git a/user/pages/02.deploying/04.openshift/docs.md b/user/pages/02.deploying/04.openshift/docs.md index 59a098471..1ba4c2d91 100644 --- a/user/pages/02.deploying/04.openshift/docs.md +++ b/user/pages/02.deploying/04.openshift/docs.md @@ -250,19 +250,7 @@ If you have created your own namespace instead of using “neuvector”, replace The name of your default OpenShift registry might have changed from docker-registry to openshift-image-registry. You may need to change the image registry for the manager, controller, and enforcer in the sample yaml. Note: Type NodePort is used for the fed-master and fed-worker services instead of LoadBalancer. You may need to adjust for your deployment. -If using the CRI-O run-time, see this [CRI-O sample](https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/neuvector-crio-oc.yaml) for the change made to the volumeMounts for controller and enforcer pods: -``` - - mountPath: /var/run/crio/crio.sock - name: runtime-sock - readOnly: true -``` -Also change the volumes from docker.sock to: -``` - - name: runtime-sock - hostPath: - path: /var/run/crio/crio.sock -``` - +If using the CRI-O run-time, see this [CRI-O sample](https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/neuvector-crio-oc.yaml) **Master Node Taints and Tolerations** diff --git a/user/pages/06.scanning/02.registry/01.harbor/docs.md b/user/pages/06.scanning/02.registry/01.harbor/docs.md index d29eae3e3..be8aab856 100644 --- a/user/pages/06.scanning/02.registry/01.harbor/docs.md +++ b/user/pages/06.scanning/02.registry/01.harbor/docs.md 
@@ -30,115 +30,4 @@ Scan results can be viewed directly in Harbor. ![results](3_scanresults.png) #### Sample Deployment Yaml -Below is an example yaml: -``` -apiVersion: apps/v1 -kind: Deployment -metadata: - name: neuvector-scanner-pod - namespace: neuvector -spec: - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - replicas: 1 - selector: - matchLabels: - app: neuvector-scanner-pod - template: - metadata: - labels: - app: neuvector-scanner-pod - spec: - imagePullSecrets: - - name: regsecret - containers: - - name: neuvector-scanner-pod - image: neuvector/scanner:latest - imagePullPolicy: Always - env: - - name: CLUSTER_JOIN_ADDR - value: neuvector-svc-controller.neuvector - restartPolicy: Always - hostAliases: - - ip: "10.1.5.106" - hostnames: - - "harbor270.com" ---- - -apiVersion: v1 -kind: Service -metadata: - name: neuvector-service-registry-adapter - namespace: neuvector -spec: - ports: - - port: 9443 #https - #- port: 8090 #http - nodePort: 32000 - name: registry-adapter - protocol: TCP - type: LoadBalancer - selector: - app: neuvector-registry-adapter-pod ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: neuvector-registry-adapter-pod - namespace: neuvector -spec: - selector: - matchLabels: - app: neuvector-registry-adapter-pod - replicas: 1 - template: - metadata: - labels: - app: neuvector-registry-adapter-pod - spec: - serviceAccount: basic - serviceAccountName: basic - imagePullSecrets: - - name: regsecret - containers: - - name: neuvector-registry-adapter-pod - image: neuvector/registry-adapter:latest - imagePullPolicy: Always - env: - - name: CLUSTER_JOIN_ADDR - value: neuvector-svc-controller.neuvector - - name: HARBOR_SERVER_PROTO - value: https #Need to mod. 
http/https - - name: HARBOR_BASIC_AUTH_USERNAME - valueFrom: - secretKeyRef: - name: neuvector-registry-adapter - key: username - - name: HARBOR_BASIC_AUTH_PASSWORD - valueFrom: - secretKeyRef: - name: neuvector-registry-adapter - key: password - restartPolicy: Always -``` - -For OpenShift 4.6+, also add the route: -``` -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: neuvector-route-registry-adapter - namespace: neuvector -spec: - to: - kind: Service - name: neuvector-service-registry-adapter - port: - targetPort: registry-adapter - tls: - termination: passthrough -``` - +Samples for [Kubernetes](https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/neuvector-registry-adapter-k8s.yaml) and [OpenShift](https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/neuvector-registry-adapter-oc.yaml)
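Review bot: in the requirements hunk (`@@ -18,8 +18,9 @@`), the rewritten OpenShift entry "RedHat OpenShift 4.6+,4.13+ (3.x to 4.12 supported prior to NeuVector 5.2.x)" contradicts itself: "4.6+" already includes 4.7 to 4.12, which the parenthetical says are only supported before 5.2.x. If 4.13 is the new floor, drop "4.6+" so the entry reads "RedHat OpenShift 4.13+ (3.x to 4.12 supported prior to NeuVector 5.2.x)". The new bullet "* AMD64 and Arm architectures" should also state which Arm variant is supported (32-bit, 64-bit or both), since that is what a reader choosing an image needs to know, and the Kubernetes range "1.19-1.29" would be clearer with a note on whether releases newer than 1.29 are untested or unsupported.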
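Review bot: the removal of "* ARM architectire is not currently supported, but being worked on for future releases." in `@@ -33,7 +34,6 @@` matches the new AMD64/Arm bullet added to the supported list above, so the two hunks are consistent. While this list is being edited, the unchanged context line about ECS carries three typos ("perfromed", "worlloads", and "Neuvector" for NeuVector) that could be fixed in the same change.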
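Review bot: in the Kubernetes deployment hunk (`@@ -257,20 +257,10 @@`), the new bullet has a grammar slip: "The preset version invoke a LoadBalancer" should read "The preset version invokes a LoadBalancer". More importantly, the four runtime-specific manifests (general containerd, Rancher/K3s containerd, docker, AWS Bottlerocket) are collapsed into a single `5.3.0/neuvector-k8s.yaml` without telling the reader that one manifest now covers all of those run-times; a sentence to that effect would stop readers hunting for the old per-runtime files. It also leaves the requirements page, edited in this same patch, saying that Containerd and CRI-O "requires changes to volume paths in sample yamls. See changes required for Containerd in the Kubernetes deployment section" and that Bottlerocket "Must change path of the containerd socket specific to Bottlerocket"; either update those sentences or keep the per-runtime instructions here, otherwise the two pages contradict each other.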
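Review bot: in the OpenShift hunk (`@@ -250,19 +250,7 @@`), deleting the volumeMounts/volumes explanation leaves "If using the CRI-O run-time, see this [CRI-O sample](...)" without saying what the reader should look for in the sample. The removed text carried the one detail that matters, that the controller and enforcer mount `/var/run/crio/crio.sock` read-only as `runtime-sock` in place of docker.sock; keep at least that much, e.g. "... for the volumeMounts and volumes changes that point `runtime-sock` at `/var/run/crio/crio.sock` instead of docker.sock". The requirements page in this patch still says "See changes required for ... CRI-O in the OpenShift deployment section", which this hunk no longer satisfies. Since the trailing blank line is also removed (`-` followed by `+If using ...`), check that a blank line still separates the new sentence from "**Master Node Taints and Tolerations**".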
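Review bot: in the Harbor hunk (`@@ -30,115 +30,4 @@`), replacing the inline manifest with two links drops the prerequisites a reader needs before applying either sample: the adapter read `HARBOR_BASIC_AUTH_USERNAME` and `HARBOR_BASIC_AUTH_PASSWORD` from a Secret named `neuvector-registry-adapter` with keys `username` and `password`, `HARBOR_SERVER_PROTO` had to be set to http or https to match the Harbor instance ("#Need to mod. http/https"), the Service exposed port 9443 (https) rather than the commented-out 8090 (http), the Harbor host was resolved through a `hostAliases` entry, and OpenShift 4.6+ needed a Route with `termination: passthrough`. If the linked samples keep that structure, the section should still name those as the values to create or edit, because the heading "#### Sample Deployment Yaml" now introduces a single sentence, "Samples for [Kubernetes](...) and [OpenShift](...)", which also lacks a terminating period. The removed yaml pulled `neuvector/scanner:latest` and `neuvector/registry-adapter:latest` with `imagePullPolicy: Always`; since the new links are pinned to 5.3.0, a note to pin the image tags to the matching version would be worth adding here.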